HIPAA Compliance for IoT Security: What Devs Need to Know

Step One – Identifying Sensitive Data

The trivial solution to any data privacy question is to encrypt all data all the time, in transport and at rest. Practically speaking though, we have to answer the question – at what point does the data become sensitive?

There are various types of sensitive data. If the data doesn’t fall into one of these categories, security measures typically aren’t as critical.

In the case of collecting consumer data from IoT devices – particularly wearables – the biggest worry is whether or not the data is personally identifiable. Can this data be linked back to an individual? As soon as the answer to this question is “yes,” the data should be protected – and forgettable.

That’s right – not only should data be protected from malicious actors, but also from the people collecting it. According to the GDPR, each consumer has the “right to be forgotten.” This means if you’re collecting an individual’s data, you must be able to delete it such that “it is no longer possible to discern personal data without disproportionate effort.” Though the GDPR is only currently active in the EU, it may be adopted by other countries in the near future.

Step Two – Preventing IoT Security Risks 

When it’s been determined that data is sensitive, developers must ensure that it’s encrypted in transport (TLS), and at rest on their servers. You should use encryption methods approved by NIST or FIPS, many of which are freely available in open-source software packages.

When it comes to connected devices and wearables, there’s a larger attack surface to consider.

Recognize What Kinds of Data Could Be Compromised

First, IoT devices connecting to a server may have access to information about an individual user. That data could be personally identifiable and could also contain information about the individual’s health, making it protected health information (PHI). If it is possible for a malicious actor to impersonate a valid device, they may be able to gain access to that data.

The first line of defense? Design your architecture so that devices only “push” data to servers, and don’t have permission to pull it. If this is not possible, choose a secure machine-to-machine (M2M) authentication pattern such as Client-Side SSL.

Beware of Malicious Firmware 

Even if your server will never mistake a malicious device for one of your own, a bad actor might still be able to hijack your device by sending it a modified version of firmware over the air. This would give them access to all of the sensors collecting data from a targeted individual. To prevent this, firmware images should be cryptographically signed and verified by the device before it begins the update process.

Though they may not be essential to protecting consumer data, secure M2M authentication and firmware signing are critical to maintaining a healthy device infrastructure. Their use should be considered mandatory if a team wants to deliver a reliable product.

Open-source tools such as NervesHub and enterprise cloud solutions such as AWS IoT both support such technologies. They also provide solid documentation for their implementation.

Communicate Clearly with Consumers

Both consumers and producers of wearable devices should be aware of the implications of how data is used. Everyone should be clear about how the data will and will not be leveraged by the producers and their business customers.

Another consideration for IoT data is whether or not companies will use consumer data for algorithmic decision-making. For instance, a large producer of wearable technology might sell data to health insurance companies for the purpose of providing “discounts.” Consumers should be aware of this kind of activity. (It’s already happening in the auto insurance industry.)

What Data Should Be Protected for HIPAA IoT Compliance? 

Current HIPAA rules do not require wearables manufacturers to comply unless the data is being shared with a healthcare professional. If a wearable is not listed as HIPAA compliant, there may not be anything to worry about. Just make sure the company is encrypting data where necessary, gives you the authority to delete your data, and that it is clear about its use. Plenty of companies follow excellent data security practices but are not HIPAA compliant because the law doesn’t require it.

On the other hand, the biggest risk to consumers for non-HIPAA compliant data may be insurance companies. As mentioned above, insurers may access PHI data without users’ consent through a lucrative deal with a wearables manufacturer.

In this event, the GDPR would require full, clear disclosure of this fact. However, as mentioned, GDPR is currently only in effect for citizens of the EU. Other laws, including those in the US, are much less explicit for now.

Only You Can Prevent Security Breaches

How can brands offer privacy and security benefits to consumers in the wake of increasingly common security breaches?

Almost all security breaches stem from a failure to implement very standard encryption and security protocols in the proper places. The weakness of all security protocols, though, is human error.

In some data breaches, all encryption protocols were followed properly. However, individuals mistakenly left an encryption key in an easily accessible place. This renders the encryption methods useless.

In addition to documenting your data encryption strategies, companies should adopt and document proper procedures for handling and storing encryption keys. This will ensure that the keys don’t fall into the wrong hands.

As hackers get more sophisticated and brands explore what they can do with data, IoT developers have to stay current on security rules. If you’re looking for a team that can help you with proper IoT security, get in touch with us today.